Reinsurers Could Unlock The Cyber Insurance Market
Manuel Adam Frankfurt +49-693-399-9199
Maren Josefs London +44-20-7176-7050
Simon Ashworth London +44-20-7176-7243
Johannes Bender Frankfurt +49-693-399-9196
Taoufik Gharib New York +1-212-438-7253
The pandemic has changed the ways we shop, learn, and work, changing the shape of the cyber risk landscape. E-commerce is booming, brick-and-mortar retailers are shifting to digital platforms, and schools and offices have adapted to remote learning and working. In S&P Global Ratings' view, these digitalization trends are here to stay and will inevitably lead to a higher likelihood of cyber incidents.
The demand for cyber re/insurance coverage has increased significantly, mainly because of a heightened and rising awareness of cyber risks. The pandemic exacerbated the huge cyber reinsurance protection gap by causing existing and new clients to request larger limits and more inclusions in their policies' terms and conditions (T&C). In addition, some insurers are offering more-advanced services, including value-added assistance services, and we have seen a shift from nonaffirmative to affirmative (explicit) cyber coverage, leading to previously unrecognized premium volume.
Unsurprisingly, given the boom in digitalization, the re/insurance industry has seen a substantial pick-up in cyber losses, with far higher combined ratios in 2020 and 2021 than in previous years. According to AON PLC, the cyber combined ratio in the U.S. increased by more than 20 percentage points to 95.4% in 2020, from 74.5% in 2019. This was mainly attributed to the growing frequency and severity of ransomware and social engineering claims. These include claims for business interruption, rising incident response costs, and extortion demands. As a result, market rates for cyber protection in the U.S. have shot up since 2019, based on the increase in reference premium. Even after this increase in premium, cyber business lines were not as profitable for the re/insurance players in 2020 as they had been previously (see chart 1).
To sustain long-term profitability, we anticipate that insurers will continue to restructure their cyber insurance offerings--increasing rates further and adjusting their T&Cs, particularly the exclusions. Some insurers also intend to further reduce their payout limits, especially where contracts include ransomware or business interruption components. At the same time, they hope to increase retention levels through 2021-2023. Depending on the region and T&Cs, policyholders could expect rate adjustments of up to 100% because the risk level has fundamentally changed.
Chart 1 | Significant Rate Increases Did Not Offset Combined Ratio Deterioration
Source: AON, The Council of Insurance Agents and Brokers.
Reinsurers' expertise in underwriting and modeling could help to build up the market. In our view, if cyber insurance is to meet the needs of customers in the future, it is more important than ever that the industry focus on risk differentiation, strong underwriting, and assistance services. Such services could help to reward customers whose cyber management is stronger (see "Cyber Risk In A New Era: Insurers Can Be Part Of The Solution," published on Sept. 2, 2020).
The market would benefit from the development of a comprehensive retrocession market, and the use of ILS or alternative capital to improve capacity. The market faces increasing demand, but limited supply. In our opinion, lack of capacity could be holding back the development of a sustainable cyber re/insurance market.
There is a significant demand for cyber coverage and we expect this business line to be one of the fastest growing insurance markets over the next decade. The dynamic change in claims pattern, rise of cyber threats, and huge accumulation risk create an opportunity for larger reinsurance capacity. The number of reinsurers and insurers offering cyber coverage is rising in response. But with such a new segment, we think it is important for reinsurers to offer primary insurers support in managing the underwriting and risk management processes for cyber, as they do for natural catastrophe exposures.
Primary insurers rely relatively heavily on the reinsurance market for cyber insurance because it has a relatively short track record compared with more traditional and mature property/casualty lines of business. We estimate that they pass 35%-45% of global cyber premium to reinsurers, with some regional variation. In general, we consider reinsurers well-placed to enable further development of the cyber insurance market. The global multiline insurers usually have in-house expertise, but some midsize and more regionally focused insurers do not have the resources to boost their cyber skills. Therefore, they are more reliant on the external know-how offered by reinsurers.
That said, reinsurers also have to cope with structural challenges and systemic risks, the increase in cyber attacks, and an accumulation of exposures. These could include the nonaffirmative exposures we refer to as "silent cyber" (see "Cyber Risk In A New Era: Let's Not Be Quiet About Insurers' Exposure To Silent Cyber," published on March 2, 2021).
Silent Cyber
When cyber risk is neither explicitly included nor excluded within insurance policies, insurers can be exposed to additional cyber risks. We refer to these nonaffirmative cyber risks as "silent cyber." Where policies carry this type of uncertainty, insurers can find themselves facing losses to settle unexpected cyber-related claims.
Cyber underwriters have become more experienced and can base decisions on exponentially improved data sets. Nevertheless, they have been cautious about expanding insurance limits and T&Cs. Given how volatile cyber risks have been, we consider this restrained approach appropriate and believe it indicates stronger risk management in the global reinsurance sector. We see a strong correlation between the sophistication of insurers' risk management and their approach to managing cyber risk. Generally speaking, reinsurers are pioneers in the assessment of cyber risk thanks to their complex enterprise risk management frameworks and investment in expertise.
Reinsurers have taken on an even more important role in the cyber insurance ecosystem over the past two years. They provide cyber security, share underwriting knowledge, give actuarial support, and help manage accumulation risk, in addition to enabling the pure risk transfer. Providing cyber services could increase the value and relevance of the policy for clients. For example, many clients would appreciate comprehensive IT expertise and services associated with prevention measures, crisis management, and data recovery. Transparent and proper legal and crisis communication is also key to avoiding or minimizing regulatory fines, third-party legal claims, and reputational damage.
For primary insurers, the support of their reinsurers has become critical to helping them manage cyber risk efficiently, strengthen their cyber risk resilience, perform cyber risk assessments, conduct a cyber defense strategy, and continuously monitor for upcoming cyber vulnerabilities. Understanding the risks is of the utmost importance. As risk consultants, reinsurers can help primary insurers to design products and improve underwriting processes. The reinsurance industry continues to invest in building up a strong network and developing strong partnerships so it can provide a broad spectrum of pre- and post-incident cyber solutions.
The cyber reinsurance market is still young, compared with the traditional reinsurance lines. As it establishes itself, it must overcome the issue of its limited loss experience and data history. The reinsurance industry has been further improving its dataset by collecting information based on the coverage it provides to the primary insurance market. This helps it enhance its value proposition. Therefore, we expect reinsurers to play a major role in cyber risk management and in providing adequately priced protection.
The proportional cyber treaty market is now well established, with more providers and more products on offer. Reinsurers have been able to increase their premiums, although profitability depends on the underlying primary insurance market. The stronger demand, combined with the hardening market, should help sustain risk-adjusted returns. As more reinsurers enter the market and the premium base expands, we expect them to gather an increased quantity of better-quality data. This will lead to improved modeling of risks and will likely reduce concentration risk as exposures are spread across a larger pool of reinsurers.
Most affirmative cyber insurance is still ceded via stand-alone proportional covers, most of which are quota shares. Typically, when primary insurers start to underwrite cyber risk, they pass more than 50% of the risk via quota share to a larger reinsurer. That said, as primary insurers gain in expertise, we are seeing a growing trend toward excess-of-loss and aggregate stop-loss cyber reinsurance. Specifically, there has been an increase in demand for aggregate excess-of-loss cover.
Total market limit of aggregate excess-of-loss cyber reinsurance
According to Swiss Re, the total market limit of aggregate excess-of-loss cyber reinsurance placed (excluding retrocession) increased by about a third to $2 billion in 2020, from $1.5 billion in 2019. This followed an increase of 100% in 2019, relative to 2018. However, only a limited number of players are operating in the facultative cyber market. As a result, the overall market is showing a shortfall in capacity, particularly for larger programs.
Most of the capacity for cyber reinsurance has been provided by large carriers. We expect this concentration to reduce in the next few years as more reinsurers enter the cyber reinsurance market, cautiously increase insurance limits, or expand their cyber product range. This should help establish stronger diversification in both the treaty and facultative market and will also support innovation in quantitative modeling, scenario analysis, and data quality.
So far, retrocession capacity for cyber reinsurers has been limited--only a few large reinsurers have allocated capacity to this submarket because they wish to avoid a potential increase in accumulation and concentration risk across their cyber portfolios. In addition, because most retrocession is offered by potential competitors in the reinsurance market for this line of business, reinsurers have also hesitated to share underwriting and claims pattern data with retrocessionaires. This has hindered the industry's ability to establish a comprehensive retrocession market. We have seen a bottlenecking effect down the value chain leading to reinsurance and primary insurers.
Problems in the cyber insurance market | Reinsurer's role
Large accumulation risk, given the potential for interrelated losses | Accumulation consultation and actuarial support, as well as access to a broad range of data and comprehensive scenario-modeling activities
Nonaffirmative, silent cyber exposure | Quantification of silent cyber and support in defining clear exclusions or adequately pricing extended coverage. Support in shifting nonaffirmative cover to affirmative cyber policies.
Short data history and very dynamic nature of cyber risks complicate the calculation of a risk-adequate premium | Provide data analytics and risk management platforms
The benefit of taking out insurance is limited where maximum payouts prove inadequate and cyber policies have many exclusions | Reinsurance capacity, cyber underwriting, and claims training
Lack of transparency and uncertainty regarding what elements are covered within cyber policies | Screening for clear wording, with defined limits and coverage, to improve transparency
Lack of IT expertise | Cyber security expertise, including a pool of knowledge and experts, plus a network of pre- and post-incident third-party vendors
Excess-of-loss retrocession on proportional portfolios is already available, but the traditional excess-of-loss retrocession market has yet to develop beyond the very early stages. In our view, a sound and reliable retrocession market would promote the development of a robust cyber re/insurance market. A more mature retrocession market could also enable reinsurers and primary insurers to manage capital more effectively, which could lead to stronger returns on capital.
The cyber market has limited capacity at every level--primary, reinsurance, and retro. Anywhere we see a lack of capacity, especially in a market which has enormous potential for economic losses, we believe that with risk-adequate pricing re/insurers have an opportunity to partner with the capital markets and so increase capacity (see chart 2). The global cyber protection market could follow the pattern used earlier, when natural catastrophe risks were first transferred to investors via catastrophe bonds.
Chart 2 | The Cyber Re/Insurance Value Chain
ILS--Insurance-linked securitization. Source: S&P Global Ratings.
For years, market participants have discussed the significant role ILS could play in adding capacity for cyber risk coverage, but the actual development of this submarket has been slow. We chiefly attribute this to:
In addition, the cyber market's initial focus was on capacity in proportional reinsurance, instead of excess-of-loss reinsurance structures, which ILS investors prefer. The few excess-of-loss contracts written were on a risk-attaching basis. This is not attractive to investors as their exposure is not confined to the period of the contract, and could last multiple years. The recent move to claims-made structures, which shorten the tail of the exposure to a year, could make cyber insurance more interesting to ILS investors.
It is evident that the market needs improved, comprehensive products that are backed by risk capital. However, capital market investors may still prefer to invest in natural catastrophe risk because it is less correlated to market risks. This gives them a clearer diversification profile and shorter tail. By contrast, a big cyber event could trigger a decline in stock and bond market values, increasing the correlation with capital markets.
The anticipated improvement in rates on line and the evolution of product components that have a tail of less than a year could encourage the expansion of ILS capacity. The key challenge is to gain clarity on what a cyber catastrophe could look like, given the limited history against which to evaluate such an event. It would also help to standardize event definitions and loss triggers.
It might be easiest for the ILS sector to first focus on affirmative cyber and to build up industry loss warranty (ILW) products that have a cyber industry loss index trigger. This cautious move would help investors to improve their understanding of cyber tail risk. Firms such as PCS in the U.S. have started to provide industry loss estimates for cyber loss events, which could be used to define trigger events in ILWs. Overall, given the relative infancy of the cyber re/insurance and retrocession market, we anticipate that it will take some time before the capital markets are ready to take on a bigger share of the risk. Investors typically rely heavily on historical claims data and risk modeling when taking on insurance underwriting risks.
The Singaporean government has set up the first example of a commercial cyber risk pool. The pool brings together traditional insurance and the ILS market to bolster capacity. In our opinion, this innovative and forward-looking solution offers a model that could be repeated in other markets.
In 2018, Pool Re, which is the U.K. government-backed provider of terrorism reinsurance, extended its cover to include certain cyber terrorism events. It is intended to provide protection in scenarios where the policyholder suffers substantial financial loss and operational disruption. The attack can originate anywhere, but it has to affect IT property/systems based in England, Wales, or Scotland.
Cyber risk pools can act as an insurance hub, collect data, and help to tackle dynamically changing cyber threats. Furthermore, such pools could support more risk-adequate pricing and underwriting through their increased focus on analytics and modeling. This may enable the provision of larger insurance limits and fewer exclusions within cyber insurance for policyholders.
It is more than 20 years since re/insurers in the U.S. started underwriting cyber risks, but the global market is still small and immature, particularly in Europe and Asia. This offers reinsurers a key growth area in which they could build long-term relationships with cedents.
Given the recent significant increases in the frequency and severity of cyber insurance claims, we believe the market is facing a period of rate increases and portfolio optimization. For participants, this requires balancing adequate rate increases, adjustments in coverage and T&C, accumulation management, and retention levels to optimize risk-adjusted returns. In our view, reinsurers' underwriting expertise and sophisticated risk management will be essential to this process. Risk differentiation, which means incorporating security standards and linking improvements in customers' information security levels to pricing considerations, will play a key role in developing a sustainable market.
That said, the market faces increasing demand and limited supply. The biggest risk to the development of a sustainable cyber re/insurance market is that capacity remains constrained. We are currently seeing undersupply in certain areas of reinsurance, retrocession, and alternative capital. As the underlying market continues to grow, so will the demand for capital further up the insurance value chain. In our opinion, the cyber re/insurance market would benefit from the evolution of a more comprehensive retrocession and ILS market in the next few years, supported by government risk pools. We see these steps as necessary to speeding up the expansion of capacity.